redhat_6.2_security

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: Re: Any comments? Fwd: [LAW] Security problem in RH 6.2
From: "Mikkel L. Ellertson" <mikkel@Infinity-ltd.com>
Date: Thu, 27 Apr 2000 11:56:39 -0500


At 09:00 AM 4/27/00 +1200, you wrote:
>I haven't seen any mention of this on the list, but it seems to be an
>important point.
>
> http://news.cnet.com/news/0-1003-200-1757740.html
>
It was announced on the Red Hat Announce and Security lists, along with the
fix.  It looks like someone at Red Hat goofed, and released the original
package with the testing passwords in it.  It is not the first mistake they
have made, and it probably will not be the last.  That is one reason you
wait a bit before installing the latest release on a production server...

Mikkel

===

Subject: SECURITY: UPDATED - RHSA-2000:014 New Piranha release available
From: Cristian Gafton <gafton@redhat.com>
Date: Wed, 26 Apr 2000 20:46:46 -0400 (EDT)


-----BEGIN PGP SIGNED MESSAGE-----

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          Piranha web GUI exposure
Advisory ID:       RHSA-2000:014-16
Issue date:        2000-04-18
Updated on:        2000-04-26
Product:           Red Hat Linux
Keywords:          piranha
Cross references:  php
---------------------------------------------------------------------

1. Topic:

The GUI portion of Piranha may allow any remote attacker to execute
commands on the server. This may allow a remote attacker to launch
additional exploits against a web site from inside the web server.

This is an updated release that disables Piranha's web GUI interface
unless the site administrator enables it explicitly.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386 alpha sparc

3. Problem description:

When Piranha is installed, it generates a 'secure' web interface ID using
the HTML .htaccess method. The information for the account is placed in
/home/httpd/html/piranha/secure/passwords which was supposed to be
released with a blank password. Unfortunately, the password that is
actually on the CD is 'Q'.

The original intent was that, when the administrator installed Piranha
rpms onto their box, that they would change the default blank password to
a password of their own choosing.

This is not a hidden account. Its only use is to protect the web pages
from unauthorized access.

The security problem arises from the
http://localhost/piranha/secure/passwd.php3 file. It is possible to
execute commands by entering 'blah;some-command' into the password fields.
Everything after the semicolon is executed with the same privilege as the
webserver.

Because of this, it is possible to compromise the webserver or do serious
damage to files on the site that are owned by the user 'nobody' or to
export a shell using xterm.

Updated piranha packages released as version 0.14.3-1 fixed the security
vulnerability while still keeping the default behavior of requiring the
web administrator to reset the password before making the web site
public.

Because of the security concerns from the community and in order to
protect innocent administrators that might not be aware of the need to
change the password for Piranha's interface before going live on the
Internet, Red Hat is releasing a new set of packages that disable the
piranha web interface by default. The site administrator will have to
enable the service from the command line by resetting the password as
detailed on the main page of the piranha utility.

The new packages that include these changes are known as version
piranha-0.4.14-1.

Users of Red Hat Linux 6.2 are strongly encouraged to upgrade to the new
packages if they are actively using piranha on their system (upgrade
instructions follow) or to remove the piranha-gui package altogether by
issuing the following command:

rpm -e piranha-gui

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

When you install the update for the piranha-gui, please take a moment to
review the instructions presented on the following URL
(http://localhost/piranha). This should guide you through the process of
installing a password for use with the GUI.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

N/A

6. Obsoleted by:

N/A

7. Conflicts with:

N/A

8. RPMs required:


Red Hat Linux 6.2:

intel:
ftp://updates.redhat.com/6.2/i386/piranha-0.4.14-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.14-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.14-1.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/piranha-0.4.14-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/piranha-docs-0.4.14-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/piranha-gui-0.4.14-1.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/piranha-0.4.14-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/piranha-docs-0.4.14-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/piranha-gui-0.4.14-1.sparc.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/piranha-0.4.14-1.src.rpm


9. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

10. References:

This vulnerability was discovered and researched by Allen Wilson and Dan
Ingevaldson of Internet Security Systems. Red Hat would like to thank ISS
for the assistance in getting this problem fixed quickly.
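The advisory describes a password-change page that hands the submitted password to a shell, so a ';' in the field becomes a command. As an added example (not Red Hat's or Piranha's code, and in Python rather than the original PHP), this is the same password-file update done with no shell at all: the hash is computed in-process in Apache's '{SHA}' htpasswd format, the username is validated, and the password is only ever hashed, never interpreted. The '{SHA}' scheme is used because it needs only the standard library; Apache's bcrypt scheme is the stronger choice where it is available.

```python
import base64
import hashlib
import hmac
import re

# Usernames become bare tokens in the password file, so they are held to a strict
# character set; the password itself is never interpreted, only hashed.
USER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def valid_user(user):
    """True only for a username made of the allowed characters (no ':' and no shell metacharacters)."""
    return bool(USER_RE.match(user))


def _sha_b64(password):
    # Apache's '{SHA}' scheme: base64 of the raw SHA-1 digest, computed here in-process.
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def sha_entry(user, password):
    """Build one htpasswd line. The password never becomes part of a command line,
    so a ';' in it is just another character that ends up inside the hash."""
    if not valid_user(user):
        raise ValueError("invalid username")
    return "%s:{SHA}%s" % (user, _sha_b64(password))


def update_entries(lines, user, password):
    """Return a new list of htpasswd lines with 'user' set to 'password' (replace or append)."""
    kept = [line for line in lines if line.split(":", 1)[0] != user]
    return kept + [sha_entry(user, password)]


def check_password(lines, user, password):
    """Constant-time comparison against the stored '{SHA}' value; False if no such user."""
    for line in lines:
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("{SHA}"):
            return hmac.compare_digest(stored[len("{SHA}"):], _sha_b64(password))
    return False
```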


===

Subject: SECURITY: [RHSA-2000:012] New openldap packages available
From: Cristian Gafton <gafton@redhat.com>
Date: Fri, 21 Apr 2000 14:29:51 -0400 (EDT)


-----BEGIN PGP SIGNED MESSAGE-----

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          New openldap packages.
Advisory ID:       RHSA-2000:012-05
Issue date:        2000-04-13
Updated on:        2000-04-21
Product:           Red Hat Linux
Keywords:          openldap startup symlink overwrite denial
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

New openldap packages are available which fix a security
vulnerability in Red Hat Linux 6.1 and 6.2.

2. Relevant releases/architectures:

Red Hat Linux 6.1 - i386 alpha sparc
Red Hat Linux 6.2 - i386 alpha sparc


3. Problem description:

OpenLDAP follows symbolic links when creating files.  The default location for
these files is /usr/tmp, which is a symlink to /tmp, which in turn is a
world-writable directory.  Local users can destroy the contents of any file on any
mounted filesystem.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

Administrators with existing databases should also move their NEXTID and *.dbb
files from /usr/tmp to /var/lib/ldap, and verify that the 'directory' setting in
/etc/openldap/slapd.conf is changed accordingly.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

10714 - Insecure file creation using static files which follow symlinks.


6. Obsoleted by:

N/A

7. Conflicts with:

N/A

8. RPMs required:


Red Hat Linux 6.1:

intel:
ftp://updates.redhat.com/6.1/i386/openldap-1.2.9-6.i386.rpm

alpha:
ftp://updates.redhat.com/6.1/alpha/openldap-1.2.9-6.alpha.rpm

sparc:
ftp://updates.redhat.com/6.1/sparc/openldap-1.2.9-6.sparc.rpm

sources:
ftp://updates.redhat.com/6.1/SRPMS/openldap-1.2.9-6.src.rpm

Red Hat Linux 6.2:

intel:
ftp://updates.redhat.com/6.2/i386/openldap-1.2.9-6.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/openldap-1.2.9-6.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/openldap-1.2.9-6.sparc.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/openldap-1.2.9-6.src.rpm


9. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

10. References:

Thanks also go to Stan Bubrouski for reporting this problem.
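The symlink problem above comes from creating a file by name in a world-writable directory and letting the kernel follow whatever entry is already there. The advisory's own remedy is to move the files to /var/lib/ldap; as defence in depth, the added example below (not OpenLDAP's or Red Hat's code, written in Python) creates such a file with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted link is refused rather than written through, and demonstrates that on a constructed scenario in a temporary directory standing in for /usr/tmp.

```python
import errno
import os
import tempfile


def create_private_file(path, data):
    """Create 'path' and write 'data', refusing to reuse anything already at that name.
    O_CREAT|O_EXCL fails when any directory entry exists, a symlink included, so a
    link planted by another local user is never followed; O_NOFOLLOW is a second
    guard, and mode 0600 keeps the new file private. Returns True on success,
    False if the name was already taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo():
    """Constructed scenario (assumption: a private temp dir stands in for /usr/tmp):
    a symlink named NEXTID already points at some other file. Returns what happened."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "some-other-file")
        with open(target, "w") as f:
            f.write("original contents\n")
        planted = os.path.join(d, "NEXTID")
        os.symlink(target, planted)  # the pre-existing link at the expected name
        refused = not create_private_file(planted, b"1\n")
        with open(target) as f:
            untouched = f.read() == "original contents\n"
        # A name nobody has claimed is created normally, with restrictive permissions.
        fresh = os.path.join(d, "NEXTID.fresh")
        created = create_private_file(fresh, b"1\n")
        mode_ok = (os.stat(fresh).st_mode & 0o777) == 0o600
        return {"refused": refused, "untouched": untouched,
                "created": created, "mode_ok": mode_ok}
```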

===

